In this brief tutorial, we are going to enable users to access any file or directory of a site that is password-protected via htaccess. There are many reasons for wanting to employ this technique, including:

Share public resources from an otherwise private site

Enable visitors to access content during site maintenance

Testing and formatting of layout and design during development

As a webmaster, I have used this technique on several occasions. This trick works great for allowing access to any number of files, directories, and/or combination of both. We will begin with a generalized example, proceed with an explanatory discussion, and wrap things up with a couple of useful modifications.

A Generalized Example

Here is the basic htaccess code enabling users to access a specific directory and file on your domain:

Edit the first Request_URI path to match that of your target directory, and/or the second Request_URI path to match that of your target file (delete either one if not needed).

Afterwards, ensure that everything is functioning properly by attempting to access both your password-protected content and newly accessible directory and/or file. To reassure yourself, try using a few free proxies (Google: “free proxy”) to access your various resources.

Discussion

So, how exactly does this fine slice of htaccess code operate? Let’s break it on down..

AuthType Basic

This line specifies the authorization type, enabling Apache to run the correct function. In this case, and in 99% of the cases I have seen, the authorization type is “Basic”.

AuthName "Restricted Area"

Here we are specifying the message that will be displayed with the password-prompt dialogue box. This is a great place to inform visitors of any publicly available content. For example, you could display something like: “Private Site – Public content available at http://domain.tld/content/”

AuthUserFile /home/path/.htpasswd

In this line, we are specifying the location of the user authentication file. This file should not be available via the Internet (i.e., place in a directory above public_html) because it contains the password verification.

AuthGroupFile /dev/null

Here we are specifying the location of the group authorization file, if any. In this example, because we are not authorizing any groups, we specify a “null” value.

Require valid-user

This line instructs Apache to implement the password protection, essentially saying, “require a valid password” before allowing access.

SetEnvIf Request_URI "(path/to/directory/)$" allow

In this line, we are setting the specified URL request as an allow variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e., path/to/directory/) with an allow variable.”

SetEnvIf Request_URI "(path/to/file\.php)$" allow

As in the previous line, here we are setting the specified URL request as an allow variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e., path/to/file\.php) with an allow variable.”

Order allow,deny

Here we designate the order in which access parameters will be evaluated. In this case, we want to consider allowed access before denied access. Especially in this example, the order of these two parameters is critical.

Allow from env=allow

In this line, we are telling Apache to allow access to any resource associated with an allow variable.

Satisfy any

Finally, we wrap things up by instructing Apache to apply the directives for any condition in which the specified parameters have been satisfied ;)

Some tweaks and modifications..

Let’s take a look at a couple of potentially useful modifications..

Allow access to multiple site resources

To allow public user access to more resources, set additional allow variables:

Of course, you will want to customize this code to reflect the various resources for which you would like to allow public access.

Allow webmaster and other sites open access to entire site

Here’s the scene: you have the entire site password-protected via htaccess. You also have allowed open, public access to various site resources, directories, etc. Now, what if you also want to provide unrestricted access to the entire domain for certain, key individuals and sites? Easy, just use this lil’ chunk of htaccess goodness:

To use this code, replace/edit each “Allow from …” line to reflect either the IP address or URL of any sites for which you would like to allow open, unrestricted access. For example, you may want to allow the site administrator(s) open access, along with perhaps a few key validation sites. This is the stuff that web-development dreams are made of!!

Well, that does it for this post. A big thank you goes out to our friend Dave Atkins for inquiring about this technique. And, as always, please share your comments, criticisms, and suggestions with the rest of us ;)

Update: The original version of this article presented a method for allowing open feed access at password-protected sites. Unfortunately, the code did not work as intended thanks to Apache’s virtually complete lack of support for query strings. Needless to say, this article has been rewritten to demonstrate a generalized technique for enabling access to files and directories.

Great post!
I am having an issue with the allowing of a website. I don’t know wether I’m doing it wrong but, if I allow a website access to mine does that mean that I can put a link inside the website I am allowing access to my site which when clicked will allow people access to my site.

Site (a) has a link to site (b). Site (b) has the code in htaccess to allow site (a) in. The user clicks the link in site (a) and they now have access to (b)

Your trick works fine on my desktop, but on a Blackberry or HTC mobile, I get an annoying authentication pop-up. If I then cancel the authentication, it works fine, but do you have any ideas on how to prevent the pop-up also on these mobiles?

Books

Links

About the site

Perishable Press is the work of Jeff Starr, professional developer, designer, author, and publisher with over 10 years of experience. Check out some of Jeff's books and projects, follow on Twitter, or learn more »

Fun fact: Perishable Press has been online since 2005, and now features over 700 articles and more than 11,000 comments. More stats »